From e12c404e13e8bc0eaab4b1aeeb3a6af0cc79dd49 Mon Sep 17 00:00:00 2001 From: merakor Date: Mon, 18 May 2020 00:12:29 +0000 Subject: kiss: prevent privilige escalations through user defined hooks During installation, the script is run as root, but out KISS_HOOK variable stays the same. This is a critical bug since a user can only have permissions to install packages as root, but not for any other privilige escalation. A user can abuse the KISS_HOOK in order to become root, possibly with a `/sbin/login` command on the hook file. This change checks for a fourth argument and overrides the KISS_HOOK to `$KISS_ROOT/etc/kiss-hook` FossilOrigin-Name: 67041b182d9524fcfa8292e7167f249b99851129cda0d7fe9e4fdff8388063b6 --- CHANGELOG.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'CHANGELOG.md') diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bee04c..edc0948 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,8 @@ this project _somewhat_ adheres to [Semantic Versioning]. [Keep a Changelog]: https://keepachangelog.com/en/1.0.0/ [Semantic Versioning]: https://semver.org/spec/v2.0.0.html -1.22.2 - 2020-05-16 + +1.22.3 - 2020-05-18 ------------------- **NOTE:** `1.22.x` is the last minor version before `2.0.0`, meaning I will not be doing any @@ -15,6 +16,15 @@ releases except for patches and fixes. My attention is now on implementing binar I will be doing some 'release candidates' before release, as binary repositories will need user feedback. +### SECURITY +- Fixed a bug regarding privilige escalation using `$KISS_HOOK`. `kiss` will now use + `$KISS_ROOT/etc/kiss-hook` on installation operations (which are run by root) so that the hooks + are defined by the system administrator rather than the user. + + +1.22.2 - 2020-05-16 +------------------- + ### Fixed - Fixed an issue where `pkg_conflicts` would abort if `kiss-readlink` failed due to missing components. It now fallbacks to the original directory name. -- cgit v1.2.3